Front page | perl.perl5.porters |
Postings from October 2016
On Tue Aug 23 19:48:57 2016, dcollinsn@gmail.com wrote:
> Detected using AFL and libdislocator, but reproducible with valgrind
> and an uninstrumented perl.
>
> The following regex causes a length-1 buffer to be allocated, but the
> second element of that buffer to be read, at two different points in
> S_regmatch. The buffer in question is reginfo->info_aux->poscache:
>
> perl -e '/0*()*(||0(?0))^*0^+|(?0)(?0)/'
>
> The only visible output of this script is the message:
>
> But under debugging tools:
>
> %% VALGRIND %%
>
> ==40309== Invalid read of size 1
> ==40309== at 0xCB7E52: S_regmatch (regexec.c:7471)
> ==40309== by 0xCB7E52: S_regtry (regexec.c:3619)
> ==40309== by 0xD1A01D: Perl_regexec_flags (regexec.c:3486)
> ==40309== by 0x8FD147: Perl_pp_match (pp_hot.c:1836)
> ==40309== by 0x7E0833: Perl_runops_debug (dump.c:2234)
> ==40309== by 0x53A0D8: S_run_body (perl.c:2525)
> ==40309== by 0x53A0D8: perl_run (perl.c:2448)
> ==40309== by 0x429A47: main (perlmain.c:123)
[...]
The docs added by davem in 1cb95af7 say:
* The top 4 bits of scan->flags byte say how many different
* relevant CURLLYX/WHILEM op pairs there are, while the
* bottom 4-bits is the identifying index number of this
* WHILEM.
.. and the code certainly appears to think that, using the top 4 bits to decide the size of poscache to malloc, and the bottom 4 bits to decide the index to look at. The invalid read occurs here because scan->flags == 0x3b, so something is violating that expectation; I don't yet know whether the expectation was wrong in the first place or something is abusing it.
Hugo
---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=129061